Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2026-21883

Good to know:

icon
icon
icon

Date: January 7, 2026

Bokeh is an interactive visualization library written in Python. In versions 3.8.1 and below, if a server is configured with an allowlist (e.g., dashboard.corp), an attacker can register a domain like dashboard.corp.attacker.com (or use a subdomain if applicable) and lure a victim to visit it. The malicious site can then initiate a WebSocket connection to the vulnerable Bokeh server. Since the Origin header (e.g., http://dashboard.corp.attacker.com/) matches the allowlist according to the flawed logic, the connection is accepted. Once connected, the attacker can interact with the Bokeh server on behalf of the victim, potentially accessing sensitive data, or modifying visualizations. This issue is fixed in version 3.8.2.

Severity Score

Related Resources (7)

https://github.com/bokeh/bokeh/security/advisories/GHSA-793v-589g-574v
https://aydinnyunus.github.io/2026/01/24/bokeh-websocket-hijacking-cve-2026-21883/
https://aydinnyunus.github.io/2026/01/24/bokeh-websocket-hijacking-cve-2026-21883
https://github.com/bokeh/bokeh
https://github.com/bokeh/bokeh/commit/cedd113b0e271b439dce768671685cf5f861812e
https://nvd.nist.gov/vuln/detail/CVE-2026-21883
https://www.mend.io/vulnerability-database/CVE-2026-21883

Severity Score

Weakness Type (CWE)

Missing Origin Validation in WebSockets

CWE-1385

Top Fix

icon

Upgrade Version

Upgrade to version bokeh - 3.8.2;https://github.com/bokeh/bokeh.git - 3.8.2

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): NONE

Do you need more information?

Contact Us